May 2019’s Most Wanted Malware: Patch Now to Avoid the BlueKeep Blues

In May, the most significant event in the threat landscape was not a new type of malware: it was a serious vulnerability in older versions of Windows operating systems that – if exploited by criminals – could lead to the type of mega-scale ransomware attacks we saw in 2017 with WannaCry and NotPetya.

The vulnerability is the ‘BlueKeep’ Microsoft RDP flaw (CVE-2019-0708) in Windows 7 and Windows Server 2008 machines, which affects nearly 1 million machines accessible from the public internet, and many more within organizations’ networks. This vulnerability is critical because it requires no user interaction in order to be exploited. RDP is already an established, popular attack vector which has been used to install ransomware such as SamSam and Dharma.

Our researchers are currently seeing many scanning attempts for the flaw, originating from several different countries globally, which could be the initial reconnaissance phase of an attack. A single computer with this flaw can be used to deliver a malicious payload that infects an entire network. All infected computers with Internet access can then infect other vulnerable devices worldwide, enabling the attack to spread exponentially, at an unstoppable pace.

Other significant malware news in May: on the last day of the month, the developers of the GandCrab Ransomware-as-a-Service affiliate program announced that they were ceasing operation, and asked their affiliates to stop distributing the ransomware within 20 days. The operation had been active since January 2018, and in just two months had infected over 50,000 victims. Total earnings for its developers and affiliates are claimed to be in the billions of dollars. A regular in the Top 10 Most Wanted Index, GandCrab was frequently updated with new capabilities to evade detection tools.

May 2019’s Top 3 ‘Most Wanted’ Malware:

*The arrows relate to the change in rank compared to the previous month.

The three most prominent cryptominers, Cryptoloot, XMRig and JSEcoin, continue to top the malware index, each with a global impact of 4%.

↔ Cryptoloot – Crypto-miner that uses the victim’s CPU or GPU power and existing resources for crypto mining, adding transactions to the blockchain and releasing new currency. It was a competitor to Coinhive, trying to pull the rug out from under it by asking websites for a smaller percentage of revenue.

↔ XMRig – Open-source CPU mining software used for mining the Monero cryptocurrency, first seen in the wild in May 2017.

↔ JSEcoin – JavaScript miner that can be embedded in websites. With JSEcoin, you can run the miner directly in your browser in exchange for an ad-free experience, in-game currency and other incentives.

↔ Emotet – Advanced, self-propagating and modular Trojan. Emotet was once employed as a banking Trojan, and is now used as a distributor of other malware or malicious campaigns. It uses multiple methods for maintaining persistence, and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.

↑ Lokibot – Info stealer distributed mainly by phishing emails, used to steal various data such as email credentials, as well as passwords to cryptocurrency wallets and FTP servers.

↓ Dorkbot – IRC-based worm designed to allow remote code execution by its operator, as well as the download of additional malware to the infected system.

↔ Trickbot – Dominant banking Trojan constantly being updated with new capabilities, features and distribution vectors. This makes Trickbot a flexible and customizable malware that can be distributed as part of multi-purpose campaigns.

↑ Nivdort – Multipurpose bot, also known as Bayrob, that is used to collect passwords, modify system settings and download additional malware. It is usually spread via spam emails with the recipient address encoded in the binary, thus making each file unique.

↓ AgentTesla – Advanced RAT functioning as a keylogger and a password stealer. AgentTesla is capable of monitoring and collecting the victim’s keyboard input and system clipboard, taking screenshots, and exfiltrating credentials belonging to a variety of software installed on the victim’s machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).

May’s Top 3 ‘Most Wanted’ Mobile Malware:

This month Lotoor is the most prevalent mobile malware, up from 2nd in April. Triada drops from 1st to 3rd, while Hiddad climbs back up from 3rd to 2nd.

↑ Lotoor – Hack tool that exploits vulnerabilities in the Android operating system in order to gain root privileges on compromised mobile devices.

↑ Hiddad – Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is displaying ads; however, it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.

↓ Triada – Modular backdoor for Android which grants super-user privileges to downloaded malware and helps it get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.

May’s Top 3 ‘Most Exploited’ vulnerabilities:

In May we saw a comeback of traditional attack techniques (probably caused by the decrease in cryptominers’ profitability), with SQL injection techniques leading the top exploited vulnerabilities list with a global impact of 49%. Web Server Exposed Git Repository Information Disclosure and OpenSSL TLS DTLS Heartbeat Information Disclosure ranked second and third, impacting 44% and 41% of organizations worldwide respectively.

↑ SQL Injection (several techniques) – Inserting SQL query fragments into the input sent from the client to the application, exploiting a security vulnerability in the application’s software.
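To make the SQL injection entry concrete, the following example (added here; it is not part of the original index and not Check Point code) contrasts a lookup that concatenates client input into the query text with a parameterized lookup, against a constructed in-memory SQLite table. The `' OR '1'='1` input is a constructed test value of the kind used in secure-coding tests.

```python
import sqlite3


def build_db():
    """Constructed sample data standing in for an application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Client input is spliced into the query text, so it is parsed as SQL.

    A value such as "' OR '1'='1" turns the WHERE clause into a tautology
    and the query returns every row instead of one.
    """
    query = "SELECT username, secret FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """The statement text is fixed; the input is bound as data.

    The driver never lets the bound value alter the query structure, so the
    same input simply matches no username.
    """
    query = "SELECT username, secret FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def row_counts(username):
    """Return (vulnerable_rows, parameterized_rows) for one input, for comparison."""
    conn = build_db()
    return len(lookup_vulnerable(conn, username)), len(lookup_parameterized(conn, username))


if __name__ == "__main__":
    # Expected: (1, 1) for a normal username, (2, 0) for the tautology input.
    print(row_counts("alice"))
    print(row_counts("' OR '1'='1"))
```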

↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
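The heartbeat bug above comes down to trusting the payload length declared inside the packet. The example below (added here; not OpenSSL code and not part of the original index) parses a heartbeat message in the RFC 6520 layout, type (1 byte), payload_length (2 bytes), payload, then at least 16 bytes of padding, and discards any message whose declared length does not fit inside the bytes actually received, which is the check the vulnerable versions lacked.

```python
import os
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3        # type (1 byte) + payload_length (2 bytes, big-endian)
MIN_PADDING = 16      # RFC 6520: padding must be at least 16 bytes


def parse_heartbeat(message):
    """Return (type, payload) for a well-formed HeartbeatMessage, else None.

    The length check below is the one CVE-2014-0160 omitted: without it the
    responder copies payload_length bytes from memory regardless of how many
    payload bytes actually arrived.
    """
    if len(message) < HEADER_LEN:
        return None
    hb_type, payload_length = struct.unpack("!BH", message[:HEADER_LEN])
    # Declared payload plus mandatory padding must fit in the received bytes.
    if HEADER_LEN + payload_length + MIN_PADDING > len(message):
        return None
    payload = message[HEADER_LEN:HEADER_LEN + payload_length]
    return hb_type, payload


def build_heartbeat(hb_type, payload, padding_len=MIN_PADDING):
    """Serialize a heartbeat message with fresh random padding."""
    return struct.pack("!BH", hb_type, len(payload)) + payload + os.urandom(padding_len)


def respond(message):
    """Answer a valid request by echoing only the bytes the peer actually sent."""
    parsed = parse_heartbeat(message)
    if parsed is None or parsed[0] != HEARTBEAT_REQUEST:
        return None
    return build_heartbeat(HEARTBEAT_RESPONSE, parsed[1])


if __name__ == "__main__":
    # Constructed inputs: a valid request, and one claiming 16384 payload bytes
    # while carrying only two. The second must be discarded, not answered.
    good = build_heartbeat(HEARTBEAT_REQUEST, b"hello")
    bad = b"\x01\x40\x00" + b"hi" + bytes(MIN_PADDING)
    print(parse_heartbeat(respond(good)))   # (2, b'hello')
    print(respond(bad))                     # None
```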

↑ Joomla Object Injection Remote Command Execution (CVE-2015-8562) – A remote command execution vulnerability has been reported in Joomla platforms. The vulnerability is due to a lack of validation of input objects, which can lead to remote code execution. A remote attacker could exploit this vulnerability by sending a malicious request to the victim. Successful exploitation can result in the execution of arbitrary code in the context of the target user.

↓ Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow (CVE-2017-7269) – By sending a crafted request over a network to Microsoft Windows Server 2003 R2 through Microsoft Internet Information Services 6.0, a remote attacker could execute arbitrary code or cause a denial-of-service condition on the target server. This is due to a buffer overflow caused by improper validation of a long header in the HTTP request.

↓ Apache Struts2 Content-Type Remote Code Execution (CVE-2017-5638) – A remote code execution vulnerability exists in Apache Struts2 when using the Jakarta multipart parser. An attacker could exploit this vulnerability by sending an invalid Content-Type header as part of a file upload request. Successful exploitation could result in execution of arbitrary code on the affected system.

↑ PHP DIESCAN Information Disclosure – An information disclosure vulnerability has been reported in PHP pages. Successful exploitation could lead to the disclosure of sensitive information from the server.

↓ D-Link DSL-2750B Remote Command Execution – A remote code execution vulnerability has been reported in D-Link DSL-2750B routers. Successful exploitation could lead to arbitrary code execution on the vulnerable device.

↓ OpenSSL tls_get_message_body Function init_msg Structure Use After Free (CVE-2016-6309) – A use-after-free vulnerability has been reported in the tls_get_message_body function of OpenSSL. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted message to the vulnerable server. Successful exploitation allows the attacker to execute arbitrary code on the system.